SAN FRANCISCO — The Pentagon on Thursday took a major step designed to instill a measure of fear in potential cyberadversaries, releasing a new strategy that for the first time explicitly discusses the circumstances under which cyberweapons could be used against an attacker, and naming the countries it says present the greatest threat: China, Russia, Iran and North Korea.
The policy, announced in a speech at Stanford University by Defense Secretary Ashton B. Carter, represents the fourth time in four months that the Obama administration has named suspected hackers or announced new strategies designed to raise the cost of cyberattacks.
A previous strategy, released in 2011, was less detailed and only alluded to the new arsenal of cyberweapons that the Pentagon was deploying. That strategy talked vaguely about adversaries, naming none.
But President Obama’s decision to publicly name North Korea’s leaders for ordering the largest destructive attack on an American target, the announcement of new sanctions against state-sponsored and criminal hackers, and the indictment of five members of the People’s Liberation Army for attacking American corporate targets all reflect a sea change in administration policy.
American officials have fumed for years that cyberattacks were largely cost-free. Now, much as Presidents Truman and Eisenhower struggled to define circumstances that could prompt a nuclear response from the United States, Mr. Obama and his aides are beginning to lay out conditions under which the nation would employ cyberattacks — either in retaliation for a strike, as an offensive weapon for conflict or in covert action. They have made no mention of the central role the United States played in the large cyberstrike against Iran’s nuclear program.
In his speech at Stanford, Mr. Carter revealed that — like the White House and the State Department — the Pentagon found itself the victim of a cyberintrusion months ago.
“The sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks,” he said, saying the attack exploited “an old vulnerability in one of our legacy networks that hadn’t been patched.” He said that a “crack team of incident responders” had “quickly kicked them off the network.”
Continue reading the main story
But administration officials would not say if the attack bore strong similarities to attacks on the White House and the State Department last year, which also appear to be of Russian origin — though the administration has not named the adversary, as Mr. Carter did on Thursday.
Mr. Carter’s comments came during an annual lecture at Stanford named for Sidney Drell, a physicist and arms control expert — the defense secretary studied under him. Mr. Carter admitted that, as a postdoctoral fellow, he often lingered in the Drell home in hopes the professor’s wife “would invite me in to dinner, which she usually did.”
He returned to the campus to update strategy to fit the age of probe, thievery and assault over computer networks. At the core of the cyberstrategy published by the Pentagon on Thursday was a hierarchy of cyberattacks.
Advertisement
The strategy said that routine attacks should be fended off by companies. The Department of Homeland Security is responsible for detecting more complex attacks and helping the private sector defend against them.
But, in a significant declaration, about 2 percent of attacks on American systems, officials say, may rise to the level of prompting a national response — led by the Pentagon and through the military’s Cyber Command, which is based alongside the National Security Agency in Maryland.
“As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyberrisk to the U.S. homeland or U.S. interests before conducting a cyberspace operation,” the strategy says.
But it adds that “there may be times when the president or the secretary of defense may determine that it would be appropriate for the U.S. military to conduct cyberoperations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyberoperations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests.” That last phrase seemed to leave open the door for pre-emptive cyberattacks.
Until now, most American cyberattacks on adversaries have been covert operations.
Mr. Carter, questioned by Amy Zegart, a political science professor who directs Stanford’s cyberinitiatives, defined a major cyberattack as “something that threatens significant loss of life, destruction of property or lasting economic damage.” That could cover myriad daily attacks, but Mr. Carter acknowledged that in the biggest case to date — the attack on Sonylast November — the president chose to respond with sanctions on North Korea, “not in cyberspace.”
At the heart of the diplomatic, economic and threatened military responses is the concept of deterrence — something that the United States had a far easier time establishing in the nuclear arena than it has had in cyberspace, where it is difficult to establish exactly who launched them.
“Deterrence is partially a function of perception,” the new strategy says. “It works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States, and by decreasing the likelihood that a potential adversary’s attack will succeed. The United States must be able to declare or display effective response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of U.S. systems to withstand a potential attack if it penetrates the United States’ defenses.”
But as Mr. Carter acknowledged, such a policy is easier to declare than to make vivid. The head of Cyber Command, Adm. Michael S. Rogers, has often declared that the price of conducting cyberattacks is simply too low for many countries to resist.
Mr. Carter also used his speech to announce a new initiative in which the Pentagon will invest in In-Q-Tel, the intelligence agency’s investing arm, and new programs to allow cyberprofessionals to enter the Defense Department for short stints rather than rise through the ranks.